You are on page 1of 33

LAWS AND REGULATIONS GOVERNING THE

PROTECTION OF SENSITIVE BUT
UNCLASSIFIED INFORMATION

A Report Prepared by the Federal Research Division,
Library of Congress
under an Interagency Agreement with the
NASA Office of Inspector General

September 2004

Researchers: Alice R. Buchalter
John Gibbs
Marieke Lewis

Project Manager: Alice R. Buchalter

Federal Research Division
Library of Congress
Washington, D.C. 20540−4840
Tel: 202−707−3900
Fax: 202−707−3920
E-Mail: frds@loc.gov
Homepage: http://loc.gov/rr/frd/

1π 56 Years of Service to the Federal Government π

1948 – 2004

2

Library of Congress – Federal Research Division SBU Information

PREFACE

This report sets forth the statutes, regulations, and Executive Branch directives that define and
govern access to Sensitive But Unclassified (SBU) information. Although there is growing
concern in the post 9/11 world that guidelines for the protection of SBU (often referred to as
Sensitive Homeland Security Information) are needed, a uniform legal definition or set of
procedures applicable to all Federal government agencies does not now exist. Regulations are
reported to be under development in the Office of Management and Budget and the Department
of Homeland Security.

The dissemination of SBU technology is regulated through export controls administered by the
Departments of Commerce and State. This report outlines the general applicability of these
controls, as well as their applicability to missile and nuclear technology. This report also
delineates regulations and directives applicable to the Department of Defense, Department of
Energy, Federal Aviation Administration (and Transportation Security Administration), Nuclear
Regulatory Commission, and Department of State.

i

.................... Technical and Engineering Information.... Title III........... as Amended (5 USC 552).....................................................................................................14 Department of Defense...........................................................................L...................................................................................2 National Security Decision Directive 189 – National Policy on the Transfer of Scientific..............................................13 MISSILE TECHNOLOGY........ 116 Stat...........................13 Missile Technology Control Regime...........................12 NUCLEAR NONPROLIFERATION..10 Export Administration Act/Export Administration Regulations (EAR)...............................................14 National Defense Authorization Act for FY 1999 (P..................................................2 National Telecommunications and Information Systems Security Policy (NTISSP) No..5 Freedom of Information Act of 1966............................................. 95-242)....................................................... 106-278)................................. 2946)...............................i EXECUTIVE BRANCH DIRECTIVES REGARDING CLASSIFICATION AND PROTECTION OF FEDERAL INFORMATION...............................................Library of Congress – Federal Research Division SBU Information TABLE OF CONTENTS PREFACE..................................................................................................................................................................................................................................4 Future Initiatives..................................................3 National Security Directive 42 – National Policy for the Security of National Security Telecommunications and Information Systems........................................................................................Title XVII – Missile Technology Controls)...........................2 Presidential Directive/NSC 24..........................8 EXPORT CONTROLS.................................L.................................... Subtitle B – Satellite Export Controls)....................................................13 Iran Nonproliferation Act of 2000 (P.............................................. Title XV......................15 Unclassifed Information – General............................................................... Title VIII).....................................................................L....10 Arms Export Control Act/International Traffic in Arms Regulations (ITAR).......1 White House Memoranda..........................5 Attorney General FOIA Memorandum..........2 – National Policy on Protection of Sensitive... 105-261........L.....L.......................19 Department of Energy......12 Nuclear Proliferation Prevention Act (P..................................................................................................................................................................1 Executive Orders.......................................17 Unclassified Controlled Nuclear Information........................................ but Unclassified Information in Federal Government Telecommunications and Automated Information Systems............................................................................................................................................................................................................................................................5 Federal Information Security Management Act of 2002 (FISMA)(Public Law 107-347...........................................................................................................................15 Technical Data.. 101-510...................................................................................................1 Presidential and National Security Directives..............................................12 Nuclear Nonproliferation Act (P........................ 2899.......................................................................................................................................................................................................................4 FEDERAL LAWS APPLICABLE TO ALL GOVERNMENT AGENCIES REGARDING SENSITIVE BUT UNCLASSIFIED INFORMATION................................................ 2135).............20 iii ...................13 National Defense Authorization Act for FY 1991 (P.. 116 Stat.......................................................6 Homeland Security Act of 2002 (Public Law 107-296.............................................................. 103-236.......................................................3 National Security Decision Directive 145 – National Policy on Telecommunications and Automated Information Systems Security.5 Exemptions to FOIA..........

.................................................................................................................................................27 iv ................................21 Nuclear Regulatory Commission..............................................................................................................23 Transportation Security Administration.............................................................22 Department of State.....................................................Library of Congress – Federal Research Division SBU Information Federal Aviation Administration.....

1995 President William J.48863.8 (b) is unchanged.) The text of Section 1. plans. amending EO 12958 to “prescribe a uniform system for classifying.” (New language in italics. which “prescribes a uniform system for classifying. as well as other information that could be misused to harm the security of our nation and the safety of our people.” Classification levels (renumbered Section 1. a joint memorandum was issued by the Acting Director of the Information Security Oversight Office and the Co-Directors of the Justice Department’s Office of Information and Privacy providing guidance to all departments and agencies as to “safeguarding information regarding weapons of mass destruction and other sensitive records related to homeland security. On March 25. President George W.5 classification categories (types of information eligible for classification). safeguarding. The memo directs recipients to “undertake an immediate reexamination of current measures for identifying and safeguarding” Government information in their respective department or agency “regarding weapons of mass destruction.8 (b) prohibits the designation of “classified” to be applied to “basic scientific research information not clearly related to the national security. infrastructures. Section 1.Reg. Bush issued EO 13292 (68 Fed.15315. Pursuant to the White House memo. they should contact the Justice Department’s Office of Information and Privacy. White House Chief of Staff Andrew H.Library of Congress – Federal Research Division SBU Information PART I – FEDERAL LAWS AND REGULATIONS EXECUTIVE BRANCH DIRECTIVES REGARDING CLASSIFICATION AND PROTECTION OF FEDERAL INFORMATION Executive Orders On April 17.7 (b). projects. and declassifying national security information. Jr.66089. or protection services relating to the national security.usdoj.19825. Clinton issued Executive Order (EO)12958. November 23. and declassifying national security information.gov/04foia/index/html/. 1995) Section 1. issued a memorandum to the heads of all executive departments and agencies regarding the safeguarding and protection of sensitive homeland security information.” Agencies are advised that for assistance in applying exemptions of the Freedom of Information Act (FOIA) to sensitive but unclassified information.Reg. Card.” (60 Fed.3 establishes classification levels. 1995). White House Memoranda On March 19. or consult OIP’s FOIA Web site at http://www. The list of classification categories (renumbered Section 1. technological. installations. 1999). or economic matters relating to the national security” to include “defense against transnational terrorism.2) remain the same.” The memo states that “in addition to information that could reasonably be expected to assist in the development or use of weapons of mass destruction.” and expands a previous category to now cover “vulnerabilities or capabilities of systems. September 18. which includes defense against transnational terrorism. April 29. safeguarding. including information relating to defense against transnational terrorism. 2003).” Technical amendments were made by EO 12972 (60 Fed. but is renumbered Section 1.4) redefines “scientific. and Section 1.” the 1 .Reg.Reg. 2003. and EO 13142 (64 Fed. 2002. March 28.

usdoj.” The Secretary of Defense was designated as the Executive Agent for communications security (COMSEC) to “protect government-derived unclassified information.” Agencies are advised to process any FOIA request for records containing “sensitive but unclassified information related to America’s homeland security” in accordance with the Attorney General’s October 12. the products of fundamental research remain unrestricted. The directive also states as policy that “where the national security requires control. “departments and agencies maintain and control sensitive information related to America’s homeland security that might not meet one or more of the standards for classification set forth … in Executive Order 12958. It states: “It is the policy of this Administration that. universities and laboratories is classification. together with the benefits that result from the open and efficient exchange of scientific. non- proprietary or national security research. 2003 FOIA Post (issued by OIP) references a June 25. 1985.” 2 .” The July 3.gov/oip/foiapost/2002foiapost10. and like information. Technical and Engineering Information The Reagan White House issued this directive on September 21. The need to protect such sensitive information from inappropriate disclosure should be carefully considered. Presidential and National Security Directives Presidential Directive/NSC 24 President Jimmy Carter issued PD/NSC-24 on November 16.” This document can be accessed at the Carter Library Web site: http://www. 1977.org/documents/pres_directive. the mechanism for control of information generated during federally-funded fundamental research in science. where appropriate due to its particular sensitivity rather than on the basis of any catch-all label such as ‘sensitive but unclassified information. This policy stipulated that “unclassified information transmitted by and between Government agencies and contractors that would be useful to an adversary should be protected.phtml National Security Decision Directive 189 – National Policy on the Transfer of Scientific.” Fundamental research is defined as basic and applied. the results of which are generally published and shared broadly within the scientific community. technical.’” The above memoranda were posted by the Justice Department on March 21. on a case-by-case basis. and the Secretary of Commerce as Executive Agent “for communications protection for government-derived unclassified information (excluding that relating to national security). 2003 FOIA Officers conference at which the above memoranda were described as “placing primary emphasis on the safeguarding of information. 2002 at http://www. 2001 FOIA Memorandum. to the maximum extent possible.htm. establishing a National Telecommunications Protection Policy. technology and engineering at colleges.Library of Congress – Federal Research Division SBU Information classification of which is described elsewhere in the memo.jimmycarterlibrary. “by giving full and careful consideration to all applicable FOIA exemptions.

Government Printing Office. Energy Secretary Spencer Abraham recommended the reissuance of NSDD-189.”2 The text of this directive is contained in Appendix B to Defending Secrets.” 1 http://www. but there was concern that it could have been extended to private sector contractors of the Federal Government as well. but Unclassified Information in Federal Government Telecommunications and Automated Information Systems This policy directive was issued by National Security Adviser John Poindexter on October 29. Rice’s position was reaffirmed by White House Office of Science and Technology Policy Director Marburger in a talk at the National Academy of Sciences on January 9. citing Dr. DC: U.edu/unit/vprgs/exportregs. National Security Advisor Condoleeza Rice stated that until the Bush Administration completes its review of the export control policies that affect basic research. and engineering information set forth in NSDD-189 shall remain in effect. part 1 and part 2 – provide extensive background information on the controversy surrounding NTISSP No. 100- 153. and we will ensure that this policy is followed. 3 . 100-235) – H. it shall not be controlled. it was reported that Dr. Rice’s letter as confirmation that “unless a legal basis exists to control basic research (either by classification or some other means). “the policy on the transfer of scientific. 2001 letter to the Center for Strategic & International Studies. users. setting new classification criteria for information formerly unclassified. 2003 memorandum to all department heads.htm 2 The two House committee reports issued pursuant to H. a policy is established whereby “systems handling sensitive. government or government-derived information. the loss of which could adversely affect the national security interest.2 – National Policy on Protection of Sensitive.2. OTA-CIT-310 (Washington.S. National Security Decision Directive 145 – National Policy on Telecommunications and Automated Information Systems Security This directive. and posted on the Michigan State University Web site. this directive is significant because it “added a new ‘sensitive but unclassified’ category of Federal information. shall be protected in proportion to the threat of exploitation and the associated potential damage to the national security.” In support of the objectives enumerated. It would not only have affected managers.” In an outline of SBU definitions prepared by the Association of American Universities in February 2003. 1986. but unclassified. Sharing Data: New Locks and Keys for Electronic Information. 1984.Rept. technical. as well as the testimony the committees received regarding NSDD-145. According to the House Committee considering legislation that later became the Computer Security Act of 1987 (P.L. No.R.Library of Congress – Federal Research Division SBU Information In a November 1. 100-235).1 In a May 12.msu. “establishes initial objectives of policies. and programmers of information systems within the Federal Government.L. potentially restricting the type of information and data released. 2003. 1987). 145 (which became P. and an organizational structure to guide the conduct of national activities directed toward safeguarding systems which process or communicate sensitive information from hostile exploitation.” National Telecommunications and Information Systems Security Policy (NTISSP) No. and five months later rescinded by National Security Adviser Frank Carlucci. signed by President Reagan on September 17.

policies..org/irp/offdocs/nsdd145. 107th Cong. which will review and evaluate the security status of telecommunications and automated information systems that handle “sensitive government or government-derived information. 2002.pdf.Library of Congress – Federal Research Division SBU Information The directive establishes a Cabinet-level Systems Steering Group. GAO raised concern that the directive “could significantly affect the management of systems by civil agencies and commercial interests” because it failed to define the types of information included in the new SBU category. Government national security systems shall be secured by such means as are necessary to prevent compromise.fas.” 3 U. 26-27 (2002).tamu. November 1993. On Science. State and local law enforcement personnel.” The Group will also recommend steps to protect this information. Bush on July 5. denial or exploitation. the loss of which could adversely affect the national security interest. A 1993 GAO report on communications privacy attributes the authorship of this directive to the Department of Defense.” It states as policy that “U. and an organizational structure to guide the conduct of activities to secure national security systems from exploitation. Communications Privacy: Federal Policy and Actions. He also testified that the designation Sensitive Homeland Security Information was not a new category of information. National Security Directive 42 – National Policy for the Security of National Security Telecommunications and Information Systems This directive was issued by President George H. and complements and does not supersede existing mechanisms for classification and de-classification of government information.4 He stated that on the subject of sensitive information.edu/research/nsd/NSD/NSD%2042/0001. GAO/OSI-94-2.” NSD-42 can be accessed at http://bushlibrary. 1990.g. the Office of Homeland Security had asked the Office of Management and Budget “to develop guidance for federal agencies to ensure consistency of treatment of ‘sensitive homeland security information’ across the Federal Government and by the recipients of such information.” e.3 NSDD-145 can be accessed at http://www. OSTP Director Marburger testified before the House Science Committee on the nexus of homeland security and science.” and “identify categories of sensitive non-government information.S. would have a designation “implemented under existing law and policy.S.W. The vast majority of government information is and will remain publicly accessible. It “establishes initial objectives. 4 Conducting Research During the War on Terrorism: Balancing Openness and Security: Hearing Before the House Comm. because it is not classified information. 4 . but rather “the type of information that the government holds today which is not routinely released to the general public. General Accounting Office. Future Initiatives On October 10. “except for ongoing telecommunications protection activities mandated by and pursuant to PD-24 and NSDD-145.” This directive also rescinds NSDD-145. In 1985 testimony before Congress.htm.” SHSI.

” This guide also notes that categories of homeland-security information like SBU and SHSI have not been classified 5 http://www. 2001. FEDERAL LAWS APPLICABLE TO ALL GOVERNMENT AGENCIES REGARDING SENSITIVE BUT UNCLASSIFIED INFORMATION Freedom of Information Act of 1966. published by the Department of Justice. providing a new statement of Administration policy on the Freedom of Information Act. enforceable in court.” Agencies are encouraged to “carefully consider the protection” of the values and interests enumerated in this memorandum “when making disclosure determinations under the FOIA. Justice will defend this decision “unless it lacks a sound legal basis or presents an unwarranted risk of adverse impact on the ability of other agencies to protect other important records. government. In the FOIA Guide discussion of Exemption 1. protecting sensitive business information. and preserving personal privacy. A “guidance document” will be developed by the Administration.”5 Exemption 1 is information classified in the interest of national defense or foreign policy. If any agency decides to withhold records. as Amended (5 USC 552) Attorney General FOIA Memorandum On October 12. federal departments and agencies are advised that in light of the greater emphasis (post-9/11) “placed on the protection of information that could expose the nation’s critical infrastructure. and citizenry to an increased risk of attack. to obtain access to federal agency records. It confirms the Administration’s commitment to protecting fundamental values –“ safeguarding our national security.usdoj. in whole or in part.gov/oip/foi-act. enhancing the effectiveness of our law enforcement agencies. and other explanatory material. except to the extent that such records (or portions of them) are protected from public disclosure by one of nine exemptions or by one of three special law enforcement record exclusions.htm 5 . Attorney General Ashcroft issued a memorandum to the heads of all federal departments and agencies. and published in the Federal Register for comment.gov/oip/foiapost/2001foiapost19.Library of Congress – Federal Research Division SBU Information Director Marburger indicated that the Administration had begun meeting with various public interest groups. can be accessed at the Justice Department Office of Information and Privacy FOIA Post Web site: http://www. states that the “Freedom of Information Act generally provides that any person has a right.htm Exemptions to FOIA The Freedom of Information Act Guide. to garner advice on developing a definition of SHSI. representatives of State and local government. May 2004. and the academic community.” Decisions to disclose information protected under the FOIA should be made in consultation with the Department of Justice’s Office of Information and Privacy.” they should “carefully consider the sensitivity of any information the disclosure of which could reasonably be expected to cause national security harm.usdoj. military.” This memorandum.

NIST’s mandate has been re-written by the provisions of P. 15 U. 8 Under the provisions of the Computer Security Act of 1987. and (C) availability. 278g-38): NIST is tasked to develop “standards.nist. 100-235. including means for protecting personal privacy and proprietary information. which means guarding against improper information modification or destruction. or destruction in order to provide – (A) integrity.” Although the definition of “sensitive information” contained in that law is often cited as being applicable to SBU information.” In the FOIA Guide discussion of Exemption 2. 6 . guidelines. 6 39 Weekly Comp. 2899. making this definition moot. 107-347.” Development of Standards and Guidelines (Section 303.L.S. modification. Doc. 1816 (December 22. Title III. and associated methods and techniques for information systems.No.L.Rep. which means ensuring timely and reliable access to an use of information.” The law also consolidates existing statutory information security requirements. 2946) Purpose (Section 301): As stated in the House Committee on Government Reform report accompanying the initial bill. and strengthening the role of the National Institute of Standards and Technology (NIST). Part 1.” Federal Information Security Management Act of 2002 (FISMA)(Public Law 107-347.Library of Congress – Federal Research Division SBU Information pursuant to EO 12958. NIST was given responsibility for developing standards and guidelines for “the protection of sensitive information in Federal computer systems. the purpose of this law is “to further strengthen Federal information security by requiring compliance with minimum mandatory management controls for securing information and information systems. use. 7 H. 2003). including those contained in the Computer Security Act of 1987. Contrary to the caveats contained in the discussion of Exemption 1. (B) confidentiality. and availability. and includes ensuring information nonrepudiation and authenticity. Pres. at 54 (2002). which means preserving authorized restrictions on access and disclosure. P. 107-347. it is noted that the courts have interpreted this exemption to include “more substantial internal matters. disclosure.C. disruption.7 Definition of information security (Section 301): “Protecting information and information systems from unauthorized access. the disclosure of which would risk circumvention of a legal requirement. and states that since September 11.gov/publications/nistbul/cs192-11. 107-787. this section of the guide advises agencies that employ safeguarding labels (like SHSI) for information that has special sensitivity to “carefully consider the propriety of protecting such information under Exemption 2. the courts have deemed “nonclassified but nonetheless highly sensitive information” exempt from disclosure “in order to avoid the harms described in” Homeland Security Presidential Directive/HSPD-76 and the Attorney General’s FOIA Memorandum.txt) These are the same criteria used in the definition of information security in P.L. clarifying and strengthening current management and reporting requirements. Note also that the Bulletin issued by NIST in November 1992 clarifying the meaning of “sensitivity as applied to agency information systems” states that “protecting sensitive information means providing for one or more of the following: confidentiality. 116 Stat. and that these terms “might not even fall within any of the FOIA exemptions.” The guide enumerates types of information that may warrant Exemption 2 protection.” (http://csrc.” Exemption 2 of the FOIA exempts from mandatory disclosure records that are “related solely to the internal personnel rules and practices of an agency. integrity.” and that this category of information “is of fundamental importance to homeland security.

Impact levels are based on the security categorization definitions in FIPS Publication 199. NIST views its first task as the development of standards to be used by all Federal agencies for categorizing information and information systems.nist. “at a minimum: (1)(A) standards to be used by all agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels. and assigning impact levels for confidentiality. for providing adequate information security for all agency operations and assets. http://www. In this publication. NIST published Federal Information Processing Standards (FIPS) Publication 199. NIST issued an initial draft of Special Publication 800-53.gov/publications/nistir/IR7111-CSDAnnualReport.gov/sec-cert. maintain its day-to-day functions. which establishes a set of minimum security controls for low. and protect individuals. protect its assets. See also The New FISMA Standards and Guidelines.nist.Library of Congress – Federal Research Division SBU Information standards and guidelines.csrc.” Implementation Pursuant to P. moderate. (B) guidelines recommending the types of information and information systems to be included in each such category. Recommended Security Controls for Federal Information Systems. and standards and guidelines.gov/sec-cert/ca-categorization. and high—on organizations should there be a breach of security (loss of confidentiality. integrity. this publication will stand 9 NIST Computer Security Division. Standards for Security Categorization of Federal Information and Information Systems (http://www. “The security categories are based on the potential impact on an organization should certain events occur which jeopardize the information and information systems needed by the organization to accomplish its assigned mission. 10 http://www. Security categories are to be used in conjunction with vulnerability and threat information in assessing risk. 2003 Annual Report (June 2004). for information systems used or operated by an agency (or its contractors). or availability). NIST also issued an initial public draft of Special Publication 800-60. When completed. and high impact information systems (based on the security categorization definitions in FIPS Publication 199). including minimum requirements. fulfill its legal responsibilities. including minimum requirements. and (C) minimum information security requirements for information and information systems in each such category.” The publication defines three levels of potential impact—low. 7 .10 On October 31.gov/publications/fips/index.pdf. integrity. 107-347. In December 2003.html.” These standards and guidelines are to include.nist. and availability.html). moderate.9 In December 2003. 2003.csrc.nist.L.csrc. Guide for Mapping Types of Information and Information Systems. and (2) a definition of and guidelines concerning detection and handling of information security incidents. to assist Federal agencies in identifying information types and information systems. written by NIST’s Computer Security Division and posted at http://csrc.

and protects classified and sensitive but unclassified information to enhance homeland security. 116 Stat.gov/publications/drafts. SUBTITLE I – THE “HOMELAND SECURITY INFORMATION SHARING ACT” Initial finding: “The Federal Government collects.14 11 http://www.nist. sensitive law enforcement information. 12 CSD 2003 Annual Report. 45149 (July 31. The recommendations for baseline (minimum) security controls published in Special Publication 800-53 “can subsequently be used as a starting point for and input to the organization’s risk assessment processes and the development of security plans for those information systems. Section 892 (c)(2) provides that these procedures may include.”12 Homeland Security Act of 2002 (Public Law 107-296. 14 68 Fed.Reg. and identify and safeguard homeland security information that is sensitive but unclassified. 8 .” Authority to promulgate these procedural regulations was delegated to the Secretary of Homeland Security in Executive Order 13311 (July 2003).whitehouse.”13 TITLE VIII. intelligence sources and methods.” Sharing and identification of information: Section 892 (a) mandates the President to prescribe and implement procedures under which relevant Federal agencies “share relevant and appropriate homeland security information with other Federal agencies. including those addressing information analysis and infrastructure protection. 12.html. and other provisions of the law.11 Federal agencies are required under FISMA to use the NIST guidelines (FIPS Publication 199) to define security categories for their information systems. “with respect to information that is sensitive but unclassified. 2135) Statement of Intent: Section 306 (a) stipulates that “to the greatest extent practicable. manages.Library of Congress – Federal Research Division SBU Information as NIST interim guidance until 2005. and appropriate State and local personnel. 2003). including the Department of Homeland Security.” President Bush’s signing statement accompanying this law states that the executive branch will “construe and carry out” this section. creates. which is the statutory deadline to publish mandatory minimum security requirements for Federal information systems.” The President is mandated to ensure that these procedures apply to all agencies of the Federal Government.gov/news/releases/2002/11/print/20021125-10. 13 http://www. research conducted or supported by the Department of Homeland Security (DHS) shall be unclassified.csrc. entering into nondisclosure agreements with appropriate State and local personnel.html. “in a manner consistent with the President’s constitutional and statutory authorities to control access to and protect classified information. and information the disclosure of which could otherwise harm the foreign relations or national security of the United States.

this function has been delegated to the Secretary of Homeland Security. 2004).” Report to Congress: Section 893 mandates the President to report to Congress within 12 months on the implementation of Section 892. for further discussion of this new exemption to FOIA (http://www. 2003 (68 Fed. 17 69 Fed. State.16 The term “covered federal agency” refers to the Department of Homeland Security.htm). these procedures have not been finalized. interdependency study.15 Implementing regulations: In a February 18. Pursuant to Executive Order 13311. 2004 letter to the Federation of American Scientists responding to a FOIA request.Library of Congress – Federal Research Division SBU Information Definition of homeland security information: “Any information possessed by a Federal.”17 The proposed rule that the Department had issued on April 15. 107-296 “regarding the receipt. 2004) reported that this report was submitted to Congress on February 20.Reg.” TITLE II. interdict. 2004. did not receive a response.” shall be exempt from disclosure to the general public under the Freedom of information Act.18523) would have enabled other Federal government entities to act as conduits of CII to DHS. 9 . with request for comments by May 20. Critical infrastructure information (CII) is defined to include information “not customarily in the public domain and related to the security of critical infrastructure or protected systems. (C) would improve the identification or investigation of a suspected terrorist or terrorist organization.8074 (February 20. or disrupt terrorist activity. establishing procedures to implement Section 214 of P.usdoj. to identify and obtain the text of this report. 2004. posted January 27. In response to 15 FOIA Post (posted February 27. the Department of Homeland Security stated that pursuant to Section 892 of the Homeland Security Act.” the interference or incapacitation of which would have a debilitating effect on interstate commerce. recovery.L. the Department was “currently working to develop procedures for the sharing of sensitive homeland security information. 2004 the Department of Homeland Security issued an interim rule. SUBTITLE B – “CRITICAL INFRASTRUCTURE INFORMATION ACT OF 2002” Protection of Voluntarily Shared Critical Infrastructure Information: Section 214 provides that “critical infrastructure information (including the identity of a submitting person or entity) that is voluntarily submitted to a covered Federal agency for use by that agency regarding the security of critical infrastructure and protected systems. or public health or safety. or local agency that (A) relates to the threat of terrorist activity. Implementing Regulations: On February 20. However. analysis. or other informational purpose. Inquiries to the Department of Homeland Security by this author. (B) relates to the ability to prevent. reconstitution. Homeland Security Law Contains New Exemption 3 Statute. and storage of critical infrastructure information voluntarily submitted to the Department of Homeland Security. 16 See FOIA Post. effective on that date.Reg.gov/oip/foiapost/2003foiapost4. (Section 212). or (D) would improve the response to a terrorist act. national security. warning. care. 2003.

The text of this directive can be accessed at http://www. consultants. on May 11.org/sgp/othergov/dhs-sbu. It also applies to other sensitive but unclassified information received by DHS from other government and non-governmental activities. or other programs or operations essential to the national interest.C. a caveat in the introduction that leaves the door open for expanding coverage to other Federal agencies: “After the Protected CII Program has become operational. and inquiries conducted to determine appropriate administrative or disciplinary action. 10 . defined as “unclassified information of a sensitive nature. The directive enumerates 11 types of information that will be treated as FOUO information.S. posted February 27. As stated in the introduction to the final rule: “Recognizing that. “This directive establishes DHS policy regarding the identification and safeguarding of sensitive but unclassified information originating within DHS. 2004 DHS issued a press release announcing the “launch of the Protected Critical Infrastructure Information (PCII) Program.”18 On February 18. also significant program oversight challenges. 11042. for additional discussion (http://www. 107-296. Any compromise or unauthorized disclosure of FOUO information will be reported.” Revisions have been made to clarify that only DHS and no other Federal government entity shall be the recipient of voluntarily submitted CII.fas. it is significant in that it imposes new access controls on Sensitive But Unclassified information. not otherwise categorized by statute or regulation. however. the unauthorized disclosure of which could adversely impact a person’s privacy or welfare. 2778 and 2794 (7)) provides authority to designate. more importantly. 18 See also FOIA Post. the conduct of Federal programs. defense articles and services.” This SBU information is identified using the term For Official Use Only (FOUO). EXPORT CONTROLS Arms Export Control Act/International Traffic in Arms Regulations (ITAR) The Arms Export Control Act (22U. and others to whom access is granted will be required to execute a DHS Form 11000-6. implementation of such a provision would present not only operational but.gov/oip/foiapost/2004foiapost6.usdoj. 2004.html. issued by the State Department pursuant to this law. and pending additional legal and related analyses. the Department has removed references throughout the rule to indirect submissions. Sensitive But Unclassified Information Non-Disclosure Agreement (NdA) upon initial assignment to DHS. Critical Infrastructure Information Regulations Issued by DHS. at this time. control the licensing of exports of defense articles. however. DHS employees. and control the export of. including classified and unclassified technical data.Library of Congress – Federal Research Division SBU Information critical comment. The International Traffic in Arms Regulations (22 CFR Parts 120-130). the Department anticipates the development of appropriate mechanisms to allow for indirect submissions in the final rule and would welcome comments on appropriate procedures for the implementation of indirect submissions. All items designated defense articles and defense services constitute the United States Munitions List (USML) (22 CFR Part 121). 2004 the Department of Homeland Security issued Management Directive No.” Internal Directive: Under authority of P.L. contractors.htm). There is.” Although this is an internal directive. access to which is based on “need-to-know” as determined by the holder of the information. the final rule does not allow for indirect submissions.

” Technical information does not include information in the public domain (defined to include information generally available or accessible to the public through fundamental research). vessel. 105-121 (Section 1513).S. “For the provision of technical data and defense services. operation. production. U. testing. Defense Service defined (22 CFR Part 120. Munitions List. including its design. placing these satellites on the U. or both. development. is in the public domain. Under the ITAR exemption. production.” Prohibited from this exemption are defense services or technical data “for the integration of the satellite or spacecraft to the launch vehicle.10.Reg. P. of not regulating fundamental research. modification. 2002). or reports. repair. This transfer had been mandated by the National Defense Authorization Act Fiscal Year 1999. Technical data includes “information … required for the design. manufacture. manufacture. or making untrue statements of a material fact in license applications. 19 67 Fed. operation. assembly. in the U.S. destruction. consistent with NSDD-189.11): A defense article is any item or technical data designated in the Munitions List. demilitarization. development. Licenses for the Export of Defense Articles (22 CFR Part 123) The transfer of registration or control to a foreign person of any aircraft. The State Department’s interim final rule19 clarified that the transfer to the USML did not change the Department’s policy. accredited institutions of higher learning are permitted to export defense articles fabricated only for fundamental research purposes to similar institutions or government research centers in NATO and major non-NATO ally countries. Munitions List qualifies as an export. repair. the exemption allows these same institutions the authority to provide defense services related to the assembly and integration of [defense articles fabricated for fundamental research purposes] into a scientific. The exemption for fundamental research was amended in March 2002 pursuant to concerns raised over the March 1999 transfer of licensing jurisdiction for commercial communications satellites to the State Department. research or experimental satellite when working with the same set of countries. or of the Missile Technology Control Regime (MTCR) controlled defense services or technical data. maintenance.” Sanctions (22CFR Part 127) Any person convicted of willful violations of export licensing requirements.6.” Also includes furnishing technical data to foreign nationals. assembly. shall be subject to a fine or imprisonment. registrations. in the design.Library of Congress – Federal Research Division SBU Information Defense article/Technical data defined (22 CFR Part 120. processing or use of defense articles. and requires a license or written approval from the Office of Defense Trade Controls. Part 126. testing. or satellite on the U. Numerous exemptions are listed that apply to exports of unclassified defense articles for which no approval is needed from the Office of Defense Trade Controls.L. or abroad.S. and Part 126. engineering. maintenance or modification of defense articles. 11 . as long as all the information about the article.S. 15099 (March 29.9): “Furnishing of assistance to foreign persons.

and technology) controlled for national security purposes. August 22.2): Violations of the EAR (e.. Items on the CCL cannot be exported to foreign countries without appropriate export license.S. possession of controlled item with intent to export or reexport. the EAR exempts fundamental research from licensing requirements.2401-2420) provides the statutory authority for the Export Administration Regulations (EAR) administered by the Department of Commerce (15 CFR Parts 730-774).”21 Exemption for fundamental research (15 CFR Part 734.Reg. or any release of technology or source code subject to the EAR to a foreign national. evasion or violation of licensing requirements) are subject to civil penalties or denial of export privileges. software.C. 48763. Government maintains controls on exports of nuclear-related items under the authority of the Nuclear Nonproliferation Act of 1978 (P.gov/PoliciesAndRegulations/04ForPolControls/Chap12_Nucs. 95-242) According to the Commerce Department Bureau of Industry and Security’s 2004 Foreign Policy Controls report. 2001 (66 Fed. “Fundamental research” is defined as “basic and applied research in science and engineering where the resulting information is ordinarily published and shared broadly within the scientific community.Reg. as amended (50U. when technology is exchanged orally. Presidential Notice of August 6.8): As in the ITAR.doc.22 One of the purposes of P. An export of technology or source code is ‘deemed’ to take place when it is released to a foreign national within the United States. 2005. 95-242 is ensuring 20 Executive Order 13222. production. Because the Export Administration Act has expired. and product utilization.e.app. 2004) extends the authorities granted in E0 13222 until August 17. 95-242) in order to further the country’s nuclear nonproliferation policy.gov/DeemedExports/DeemedExportsFAQs. The CCL is contained in 22 CFR Part 774.” Sanctions (15 CFR Part 764. Willful violations of the EAR’s licensing requirements or controls are subject to criminal penalties.g. the U. and has not yet been reauthorized by Congress. August 10.20 The Commerce Department’s Bureau of Industry and Security maintains the Commerce Control List (CCL) within the EAR. foreign policy controls and short-supply purposes. 2004 (69 Fed.L. design.2(b)(2): “Any release of technology or software subject to the EAR in a foreign country.L. 22 http://www.S. commodities.bxa. 21 The Commerce Department’s Bureau of Industry and Security provides answers to frequently asked questions about “deemed exports” at http://www. or when technology is made available by practice or application under the guidance of persons with knowledge of the technology. 2001).htm 12 . NUCLEAR NONPROLIFERATION Nuclear Nonproliferation Act (P. It is distinguished from proprietary research and from industrial development.bxa. Definition of export of technology or software (15 CFR Part 734. which includes items (i. the export licensing system of the Export Administration Act currently operates under authority of the International Emergency Economic Powers Act.Library of Congress – Federal Research Division SBU Information Export Administration Act/Export Administration Regulations (EAR) The Export Administration Act of 1979.. issued August 17.doc. 44025.L. Technology or software is ‘released’ for export when it is available to foreign nationals for visual inspection.html.

htm 13 . Munitions List. the Department of Commerce has adopted licensing requirements: 15 CFR Part 742.” Such persons will be prohibited from purchasing any item on the U.L. or of ballistic or cruise missile systems. Title VIII) This law imposes sanctions on U. over its exports of nuclear materials and equipment and of nuclear technology.Library of Congress – Federal Research Division SBU Information effective controls by the U. or non-nuclear-weapon state to acquire unsafeguarded special nuclear material or to use. biological. and foreign persons who “materially and with requisite knowledge contribute. These regulations apply to the export of commodities. group. the Missile Technology Control Regime. transfers to Iran either goods. special nuclear material. Pursuant to this law. services. develop. or software that either could be of significance for nuclear explosive purposes. operation or maintenance of a uranium enrichment or nuclear fuel reprocessing facility or a facility for the production of heavy water. services. or that the exporter knows will be used for nuclear explosive activities or safeguarded or unsafeguarded nuclear activities. production or utilization facilities.S. and the Wassenaar Arrangement.S. or technology prohibited for export to Iran because of their “potential to make a material contribution to the development of nuclear. through the export from the U.. the Missile Technology Control Regime (MTCR) was created by the United States and six other nations in 1987 to limit the proliferation of missiles capable of delivering nuclear weapons. related technology. e. to the efforts of any individual. 1999.gov/PoliciesandRegulations/04ForPolControls/Chap8_MTCR. produce. Iran Nonproliferation Act of 2000 (P. Nuclear Proliferation Prevention Act (P. and will be denied licenses for items controlled by the Export Administration Act Regulations.g. fabrication. MISSILE TECHNOLOGY Missile Technology Control Regime According to the Department of Commerce Bureau of Industry and Security (BIS). construction. 95-242.2 (Restrictions on certain nuclear end-uses).3 (CCL Based Controls – Nuclear Nonproliferation) and 15 CFR Part 744. stockpile. may not be used for any nuclear explosive device or for research on or development of any nuclear explosive device. as well as defense articles and services under the Arms Export Control Act.S.L. or otherwise acquire any nuclear device. or technology listed on control lists of international consortia. The law defines “sensitive nuclear technology” as: “Any information (including information incorporated in a production or utilization facility or important component part thereof) which is not available to the public and which is important to the design.L. the Nuclear Suppliers Group. and any sensitive nuclear technology.” The law further provides that the export of source material.bxa. on or after January 1. 103-236. or any other country of any goods or technology.S.23 It now has 33 23 http://www.doc. or non-controlled goods. or chemical weapons. 106-278) This law requires the President to report to Congress any foreign person who.” The term “goods and technology” is defined to include “sensitive nuclear technology” as it is defined in P.

Subtitle B – Satellite Export Controls) This law sets as policy that the United States should not export to the People’s Republic of China missile equipment or technology that would improve its space launch capabilities.” A fact sheet prepared by the Department of State Bureau of Nonproliferation indicates that the guidelines “restrict transfers of ‘missiles’ – defined as rocket systems (including ballistic missiles. Software and Technology Annex form the basis for U.Title XVII – Missile Technology Controls) Public Law 101-510 amends both the Arms Export Control Act and the Export Administration Act to include on the control lists of the ITAR.state.L. review factors. space launch vehicles. 24508.gov/t/np/rls/fs/27514. 2004).S. and goods and technology that would provide a direct and immediate impact on the development of missile delivery systems and are not included in the MTCR Annex but which the United States is proposing to the other MTCR adherents to have included in the MTCR Annex..mtcr.htm 14 . Title XV.Reg. “ all dual use goods and technology on the MTCR Annex.” Any foreign or United States person who knowingly violates the abovementioned two acts will be denied licenses for the transfer of missile equipment or technology. The most recent final rule amends the Commerce Control List (69 Fed. National Defense Authorization Act for FY 1991 (P.e. In January 1993. PART II – AGENCY REGULATIONS 24 http://www. respectively. and EAR. the focus of the Regime was expanded to include missiles for the delivery of chemical or biological weapons. 105-261. and sounding rockets) and unmanned aerial vehicle systems capable of delivering weapons of mass destruction – and their related equipment and technology.info/english/index.L.5 (CCL Based controls – Missile Technology) and 15 CFR Part 744. and require validated licensing for.Library of Congress – Federal Research Division SBU Information member countries. The U. The Annex is a list of missile-related items. The BIS 2004 Foreign Policy Controls report states that “the MTCR Guidelines and the Equipment.S. including technical assistance and technical data.24 The full text of both the Guidelines and the Annex can be accessed on the MTCR Web site: http://www. procedures. May 4. It also requires that when licenses are approved for the export of a satellite or related items for launch in a foreign country. Government requires a license for the export or reexport to all destinations (except Canada) of those dual-use.3 (Restrictions on certain missile end-uses). i. 101-510. The relevant sections of the CFR implementing these controls are 15 CFR Part 742. and requires prior certification of these exports to that effect. The Export Administration Regulations (EAR) are revised periodically to reflect changes to the MCTR Annex agreed to by member countries at annual plenary sessions. items specifically identified on the CCL as controlled for missile technology reasons. National Defense Authorization Act for FY 1999 (P. the Secretary of Defense must monitor all aspects of the launch to ensure that no unauthorized transfer of technology occurs. Missile technology controls. for civilian and military purposes.html. and standard assurances on missile technology exports. and nuclear weapons. The MTCR Guidelines provide licensing policy.

Record copies of DoD UCNI documents shall be disposed of in 15 . or facilities. transmission outside CONUS must be via approved secure communications circuits. Within the Department of Defense.1-R. There is no requirement to remark existing material containing SBU information. DEA Sensitive information is unclassified information that is originated by DEA and requires protection against unauthorized disclosure to protect sources and methods of investigative activity. Information Security Program. procedures. there are other types of information that require application of controls and protective measures for a variety of reasons. AP3 Appendix 3 Document Title: DOD 5200. and the integrity of pretrial investigative reports. evidence. electronic transmission of DoD UCNI shall be over approved secure communications circuits. DoD UCNI may be transmitted by first class mail in a single. This Appendix identifies SBU information from the Department of State. and equipment) for the physical protection of DoD Special Nuclear Material (SNM). the Department of Defense has agreed to implement protective measures for DEA Sensitive information in its possession. the inner one marked “DEA Sensitive” on both sides. DoD Unclassified Controlled Nuclear Information (DoD UCNI) is unclassified information on security measures (including security plans.Library of Congress – Federal Research Division SBU Information DEPARTMENT OF DEFENSE Unclassifed Information – General Topic: Definition. the Drug Enforcement Agency. Except in emergencies. Electronic transmission of DEA Sensitive information within CONUS should be over secure communications circuits whenever possible. Marking Document Number: DOD 5200. The Administrator and certain other officials of the DEA have been authorized to designate information as DEA Sensitive. and DoD Unclassified Controlled Nuclear Information.83. Access to DoD UCNI shall be granted only to persons who have a valid need-to-know the information and are specifically eligible for access under the provisions of DoD Directive 5210. Special Types of Unclassified Information Requiring Protection Source Organization: Department of Defense Description/Summary: In addition to FOUO and “Sensitive” information. or facilities. January 1997. diversion. Information is designated DoD UCNI only when it is determined that its unauthorized disclosure could reasonably be expected to have a significant adverse effect on the health and safety of the public or the common defense and security by increasing significantly the likelihood of the illegal production of nuclear weapons or the theft. and explains the nature of the information and the procedures for identifying and controlling it. Non-government package delivery and courier services may not be used. When SBU information is included in DoD documents. Transmission outside CONUS must be by a means approved for transmission of Secret material. The material shall be enclosed in two opaque envelopes or containers. equipment. Handling. or sabotage of DoD SNM.1-R. the documents shall be marked as if the information were For Official Use Only. opaque envelope or wrapping. the criteria for allowing access to SBU information are the same as those used for FOUO information. equipment. DEA Sensitive material may be transmitted within CONUS by first class mail.

htm Link to Document: http://fas." "Sensitive Information" as defined in the Computer Security Act of 1987. There are other types of information that require application of controls and protective measures for a variety of reasons. January 1997. Document Source: Federation of American Scientists. January 1997.S.O. "Sensitive But Unclassified" (formerly "Limited Official Use") information. Department of Defense.” Link to Document: www. Source Organization: Department of Defense Description/Summary: The requirements of the Information Security Program apply only to information that requires protection to prevent damage to the national security and has been classified in accordance with E. Non-record DoD UCNI document may be destroyed by shredding or tearing into pieces and discarding the pieces in regular trash containers. or in locked buildings." Since classified information and unclassified controlled information exist side-by-side in the work environments – often in the same documents – this appendix is provided as an attempt to avoid confusion and promote proper handling. Dissemination. 12958 or its predecessors.S. and provides basic information about the nature of this information and the procedures for identifying and controlling it. DoD Freedom of Information Act (FOIA) Program.7. “Appendix C.dod. September 1998 Source Organization: Department of Defense Description/Summary: This regulation is reissued under the authority of DoD Directive 5400. or cabinets if Government or Government-contract building security is provided.C.mil/nii/other/5200_ap3. or similar items. Document Source: United States. Section 1. AP3 Appendix 3.” 16 .doc Topic: Definition. Controlled Unclassified Information.htm Topic: Safeguards. and information contained in technical documents. Handling.” http://fas. Information Security Program. This information is known as "unclassified controlled information. 33) and Component records management directives. rooms. The types of information covered in this appendix include "For Official Use Only" information.1-R. Information Security Program. It provides guidance on the implementation of the Freedom of Information Act.org/irp/doddir/dod/5200-1r/appendix_c. the appendix refers to other Department of Defense (DoD) Directives that provide more detailed guidance. Appendix C. "DEA Sensitive Information. Markings. Transmission Document Number: DOD 5400. It covers several types of unclassified controlled information.7R Document Title: DOD Freedom of Information Act Program.1-R. Controlled Unclassified Information. Code and CFR authorities. bookcases. See also Section on Unclassified Controlled Nuclear Information for U.” September 29. desks. Procedures Document Number: DOD 5200. “Special Types of Unclassified Information Requiring Protection. as amended by the “Electronic Freedom of Information Act Amendments of 1996. Appendix C Document Title: DOD 5200. In some cases." "DoD Unclassified Controlled Nuclear Information. Section 1.Library of Congress – Federal Research Division SBU Information accordance with the Federal Records Act (44 U. file cabinets. desks.org/irp/doddir/dod/5200-1r/appendix_c. DoD UCNI may be stored in unlocked containers. DOD 5200. 1997.1-R.

” Technical data can be further described as “technical data with military or space application” such as any blueprints. drawings. that “would make a significant contribution to the military potential of any country or combination of countries and that may prove detrimental to the security of the United States.fas. operate. DoD 5400.pdf Link to Document: http://www. instructions. Link to document: http://www.Library of Congress – Federal Research Division SBU Information This document describes safeguards to protect sensitive information. engineer. 32 CFR Part 250 . and how sensitive information should be disseminated and transmitted.dtic. Department of Defense.pdf Topic: Exemptions Document Number: 03-CORR-017.pdf Technical Data Topic: Definition Documents: 10 USC 130 . plans. computer software and documentation. The memorandum lists exemptions for the release of voluntarily submitted critical infrastructure information under the provisions of the Freedom of Information Act. 2003. produce.pdf Link to Document: http://www.Withholding of Unclassified Technical Data from Public Disclosure Source Organization: Secretary of Defense Description/Summary: Technical data is defined as a component of critical technology. or reproduce any military or space equipment. http://www.org/sgp/foia/dod032503. manufacture. September 1998. or other technical information that can be used or be adapted for use to design.mil/whs/directives. which may include SBU information.dtic. repair.Withholding of Unclassified Technical Data from Public Disclosure.25 . overhaul. Source Organization: Department of Defense Description/Summary: This memorandum states that Exemption 3 of the Homeland Security Act of 2002 does not apply to the Department of Defense. Document Source: Defense Technical Information Center. March 25. or militarily critical technology.dtic. http://www.fas.mil/whs/directives/corres/pdf/54007r_0998/p54007r. Memorandum: Freedom of Information Act (FOIA) Requests for Critical Infrastructure Information (CII). specific markings that should be given to sensitive information.Authority to Withhold from Public Disclosure Certain Technical Data. DoD exemptions to FOIA.mil/whs/directives/corres/pdf/54007r_0998/p54007r. 17 .7R. Document Source: Federation of American Scientists. DOD Freedom of Information Act Program. DoD Directive 5230.org/sgp/foia/dod032503. Document Title: Memorandum: Subject: Freedom of Information Act (FOIA) Requests for Critical Infrastructure Information (CII).

” Unclassified export-controlled DoD technical data may be presented in DoD-related scientific and technical meetings and papers when the recipients are eligible to receive such data as established by 32 CFR Part 250. Authority must be sought from the controlling DoD office if a contractor needs to disseminate technical data for any other reason. 32 CFR Part 250 . DoD Directive 5230. or local governmental agency for regulatory purposes or as required by law or court order.Authority to Withhold from Public Disclosure Certain Technical Data. Note: Parallel Authority for 10 USC 130 is 32 CFR Part 249.mil/whs/directives. For the latter element. contractors when the data relate to a legitimate business purpose. the Militarily Critical Technologies List should be consulted for guidance.mil/whs/directives.dtic. but if the release of such data for purposes other than direct support of DoD activities could jeopardize an important U. “Presentation of DoD-Related Scientific and Technical Papers at Meetings.S.S.S.S. Topic: Sanctions Document Number: 10 USC 130 .S. authorization or license for export under E. the data should be withheld. DoD Directive 5230.Withholding of Unclassified Technical Data from Public Disclosure Source Organization: Secretary of Defense Description/Summary: Technical data may be released to qualified U. Topic: Authorized Dissemination of Technical Data Documents: 10 USC 130 . Note: The Militarily Critical Technologies List (MCTL) is a detailed compendium of information on technologies that the Department of Defense assesses as critical to maintaining U.Withholding of Unclassified Technical Data from Public 18 . 12470 or the Arms Export Control Act and whether the technical data would disclose critical technology with military or space application. and to other currently qualified U.Withholding of Unclassified Technical Data from Public Disclosure. The same criteria for releasing unclassified documents containing unclassified export-controlled DoD technical data apply to presentations containing such data.dtic. State. to the Departments of State and Commerce for specific purposes.Library of Congress – Federal Research Division SBU Information Topic: Criteria for withholding technical data Documents: 10 USC 130 . 32 CFR Part 250 .25 . contractors may disseminate technical data they have received without prior permission if the purposes for which the data are needed are consistent with their certification. Link to document: http://www. contractors if the purpose for dissemination is within the scope of certified legitimate business. 32 CFR Part 250 .O.mil/mctl. technological or operational advantage. to Congress or any Federal. Link to document: http://www.Authority to Withhold from Public Disclosure Certain Technical Data.Authority to Withhold from Public Disclosure Certain Technical Data.25 . Data may also be disseminated without permission to certain foreign recipients. Qualified U. The MCTL can be accessed on the web at www. military capabilities.Withholding of Unclassified Technical Data from Public Disclosure Source Organization: Secretary of Defense Description/Summary: Determinations regarding the withholding of technical data will be based on whether the data requires an approval.Withholding of Unclassified Technical Data from Public Disclosure.dtic.

S.Withholding of Unclassified Technical Data from Public Disclosure Source Organization: Secretary of Defense Description/Summary: The penalties for unlawful export of information controlled under ITAR or EAR are imprisonment. or both (22 USC 2778. or theft. accuracy. article.S.Authority to Withhold from Public Disclosure Certain Technical Data. fines.Physical Protection of Special Nuclear Material: Limitation on Dissemination of Unclassified Information. or material involving reliance upon any or all technical data. or sabotage of special nuclear materials.Library of Congress – Federal Research Division SBU Information Disclosure. A determination must be made that unauthorized dissemination could reasonably be expected to have a significant adverse effect on the health and safety of the public or the common defense and security by significantly increasing the likelihood of illegal production of nuclear weapons. and among DoD contractors. equipment.S.25 .C. procedures. or completeness of the technical data is not guaranteed. for loss. Qualified U. consultants.Withholding of Unclassified Technical Data from Public Disclosure Source Organization: Secretary of Defense Description/Summary: No liability will be assumed for patent infringements or misuse of technical data.Physical Protection of Special Nuclear Material: Limitation on Dissemination of Unclassified Information. or injury resulting from manufacture or use of any product. Code prohibits the unauthorized dissemination of unclassified information pertaining to security measures. 32 CFR Part 223 Source Organization: Secretary of Defense Description/Summary: U. DoD Directive 5230. and grantees 19 . diversion. DoD Directive 5230. and the adequacy. Unclassified Controlled Nuclear Information Topic: Definition Documents: 10 U.7 Source Organization: Secretary of Defense Description/Summary: Unclassified documents containing DoD UCNI must be marked appropriately in accordance with the regulations. system. Topic: Protections/Controls Documents: 10 USC 128 . including security plans. 32 CFR Part 223. Topic: Disclaimers Document Number: 10 USC 130 . 50 USC app. currency. 32 CFR Part 250 . and equipment for the physical protection of special nuclear material. 2410). contractors who commit unauthorized dissemination of information may lose qualified status and may forfeit eligibility for future contracts with DoD. damage.Withholding of Unclassified Technical Data from Public Disclosure. DoD UCNI may be disseminated in the Office of Defense and various divisions. or facilities. Title 32 of the Code of Federal Regulations Part 223 implements the authority under 10 USC 128 for controlling unclassified information. 128 .25 . NATO.

UCNI must be safeguarded during electronic storage.directives. Department of Energy Link to Document: http://www. physical storage. but not limited to the wide range of government or government-derived economic. Government. http://www. Source: Federation of American Scientists. Governmental interests are those related. and retirement.S. destruction of non-record copies.” Source: United States. alteration. Government by its citizens. as well as the privacy or confidentially of personal or commercial proprietary information provided the U.X.fas.C. or destruction could adversely affect national security or governmental interests. Handling Document Number: None Document Title: Directives Management Document for Proposed DOE O 471.gov/pdfs/nnglossary/termss_z. 32 CFR Part 223.S. technological. misuse.7 Source Organization: Secretary of Defense Description/Summary: Unauthorized disclosure of DoD UCNI justifies investigative and administrative actions. 42 U.Identification and Protection of Unclassified Controlled Nuclear Information.Physical Protection of Special Nuclear Material: Limitation on Dissemination of Unclassified Information. Identifying Information as "For Official Use Only" Source Organization: Department of Energy Description/Summary: Directive to establish a program within DOE to identify and mark sensitive unclassified information that may be exempt from public release under the Freedom of Information Act (FOIA) (to be identified as "For Official Use only"). human.org/sgp/news/doesbu. loss.org/sgp/news/doesbu.html Topic: Definition of Unclassified Controlled Nuclear Information (UCNI) Documents: 10 CFR Part 1017 . 2168 . 1995 Source Organization: Department of Energy Description/Summary: Provides a definition of Sensitive Unclassified Information. agriculture. financial.fas.Dissemination of Unclassified Information Source Organization: Secretary of Energy 20 . Topic: Sanctions Documents: 10 USC 128 . December 18.S. National security interests are those unclassified matters that relate to the national defense or foreign relations of the U.Library of Congress – Federal Research Division SBU Information on a need-to-know basis.html Link to Document: http://www.doe. industrial.pdf Topic: Definition. and law-enforcement information. The definition is as follows: “Information for which disclosure. DEPARTMENT OF ENERGY Topic: Definition Document Title: Safeguards and Security Glossary of Terms.

Identification and Protection of Unclassified Controlled Nuclear Information (UCNI). Topic: Protections/Controls Documents: 10 CFR Part 1017 . FEDERAL AVIATION ADMINISTRATION Topic: Handling Document Number: None Document Title: None Source Organization: Federal Aviation Administration Description/Summary: This document lists telecommunications standards to be used by the Federal Aviation Administration (FAA) in the preparation of specifications and related procurement documents that are used when considering the lease or purchase of telecommunications systems.Identification and Protection of Unclassified Controlled Nuclear Information.itl. Topic: Sanctions Documents: 10 CFR Part 1017 .htm. 21 . Department of Energy Description/Summary: Documents containing UCNI must be marked conspicuously as “Not for Public Dissemination” prior to transmitting or upon retirement. or transmitted.57. services. and certain declassified government information concerning the design.gov/fipspubs/fip81. Link to Document: http://www.gov/sse/directives/o4712a. A Controlling Official will ensure that the information meets specific criteria before it is protected and controlled as UCNI. This document states that equipment and services that are intended for use in the cryptographic protection of sensitive but unclassified computer data shall use one or more of the modes of operation specified in FIPS PUB 81 http://www. DOE O 471. being destroyed. Department of Energy Information Security Program Source Organization: Secretary of Energy.Library of Congress – Federal Research Division SBU Information Description/Summary: UCNI is defined as certain unclassified government information prohibited from unauthorized dissemination under section 148 of the Atomic Energy Act. or use of nuclear weapons that was previously classified as Restricted Data.2A expired 09-26-99 but has been extended to 04-28-05 by DOE N 251.2A.pdf Note: DOE O 471.2A . Categories include: information concerning production/facility design-related information. Department of Energy Information Security Program Directive Source Organization: Secretary of Energy.U. manufacture. Department of Energy Description/Summary: Provides civil and criminal penalties for the illegal dissemination of unclassified controlled nuclear information.oa.doe. Access is granted on a need- to-know basis. or equipment. DOE O 471. must be adhered to in order to prevent unauthorized dissemination.S. 42 USC 2168 – Dissemination of Unclassified Information.S.nist. Regulations pursuant to the physical protection of documents while they are in use or storage. being reproduced. security measures for the protection of facilities and nuclear material contained at these facilities or nuclear material in transit.U.

More specifically. June 25. protection of voluntarily submitted information.html Topic: Definition. and all newly generated documents will be reviewed against certain criteria. 2001. 05-28-2002 22 . its licensees. or the public document room in response to 9/11 events. Criteria include: plant-specific information that would clearly aid in planning an assault on a facility. physical vulnerabilities of nuclear facilities. the public library of ADAMS. This chapter carries out 49 USC 40123. Government Printing Office Link to Document: http://www.gov/reading-rm/doc-collections/commission/comm- secy/2002/2002-0015comscy. Source: United States. The definition of SHSI is based on draft DHS language (not made public). unless otherwise noted. but information of a general nature will not be withheld. will be reviewed against the criteria prior to re-release.gov/nara/cfr/waisidx_04/14cfr193_04.access. 2002) Document Title: Commission Action Memorandum: Withholding Sensitive Homeland Security Information From the Public Source Organization: Nuclear Regulatory Commission Description/Summary: Provides guidance and criteria to be used when considering the release of potentially sensitive information. Access Document Number: Memorandum.Library of Congress – Federal Research Division SBU Information Document Source: United States. Procedures. Source Organization: Federal Aviation Administration Description/Summary: This chapter of 14 CFR describes when and how the FAA protects from disclosure safety and security information that is submitted voluntarily to the FAA. Handling Document Number: 14 CFR Part 193 Document Title: Protection of Voluntarily Submitted Information Source: 66 FR 33805. or contractors will be withheld if its release could provide a clear and significant benefit to an adversary in a potential attack.gpo.pdf Topic: Definition. information that is currently widely available to the public should not be systematically reviewed against the criteria established in this memorandum. Generally. Document Source: United States. Access Document Number: COMSECY-02-0015 (April 4.faa. Nuclear Regulatory Commission Link to Document: http://www. Federal Aviation Administration Link to Document: http://nasdocs. documents that were withdrawn from the NRC external web page.gov/nasiHTML/FAAStandards/faa-std-029d/029d- txt.html NUCLEAR REGULATORY COMMISSION Topic: Definition. information that would be useful for breaching key barriers at nuclear facilities. and information in any type of document that provides the current status or configuration of systems and equipment (except general conditions such as 100 percent power or shutdown). construction details of specific facilities.nrc. information generated by the NRC.

Volume 12 FAM 540. visa. or could have a negative impact upon foreign policy or relations.pdf DEPARTMENT OF STATE Topic: Definition Document Number: Volume 12 Foreign Affairs Manual 540. law enforcement. or other information which. “Sensitive But Unclassified Information (SBU). Nuclear Regulatory Commission Link to Document: http://www. 10-01-1999 Document Title: Access. Source: United States Department of State.” TL:DS-61.state. Dissemination. 23 . Volume 12 FAM 540.” Source: United States Department of State. 1--01-1999. and Release. SBU information includes. 05-26-1995 Document Title: Scope Source Organization: Department of State Description/Summary: Defines Sensitive But Unclassified information: “SBU describes information which warrants a degree of protection and administrative control that meets the criteria for exemption from public disclosure set forth under Sections 552 and 552a of Title 5. and (2) Information offered under conditions of confidentiality which arises in the course of a deliberative process (or a civil discovery process).Library of Congress – Federal Research Division SBU Information Document Title: Commission Action Memorandum. Link to Document: http://foia.state. and information arising from the advice and counsel of subordinates to policy makers. financial.pdf Topic: Controls Document Number: Volume 12 Foreign Affairs Manual 543." Source: United States.gov/reading-rm/doc-collections/commission/comm- secy/2002/2002-0015comsrm. investigatory. personnel.gov/masterdocs/12fam/12m0540.nrc. TL:DS-46.” TL:DS-61. including attorney-client privilege or work product. if released. TL:DS-46. but is not limited to: (1) Medical. could result in harm or unfair treatment to any individual or group.gov/masterdocs/12fam/12m0540. TL:DS-46. 05-26-1995 Document Title: Implementation Source Organization: Department of State Description/Summary: States that regulations regarding "Limited Official Use" (LOU) are superseded and LOU becomes Sensitive But Unclassified (SBU) as of the date of publication. United States Code: the Freedom of Information Act and the Privacy Act. 1--01-1999. Approving COMSECY-02- 0015 Source Organization: Nuclear Regulatory Commission Description/Summary: Memorandum approving criteria proposed in COMSECY-02-0015 - "Withholding Sensitive Homeland Security Information From the Public. “Sensitive But Unclassified Information (SBU). Link to Document: http://foia. 05-28-2002. b.pdf Topic: Implementation Document Number: Volume 12 Foreign Affairs Manual 542.

phone. 1--01-1999.S. or secured in a locked container. and Destruction Source Organization: Department of State Description/Summary: Regardless of method. Government function if not otherwise prohibited by law. dissemination. SBU documents must be destroyed by shredding or burning. Volume 12 FAM 540. or interagency agreement. custodians of SBU information should decide whether specific information warrants a higher level of protection accorded by a secure fax. Employees may circulate SBU material to others.” TL:DS-61. Mailing. or other encrypted means of communication.pdf Topic: Consequences Document Number: Volume 12 Foreign Affairs Manual 545. Since information transmitted over unencrypted electronic links such as telephones may be intercepted by unintended recipients. the requirements found in 12 FAM 600 (Information Security Technology) must be met. Provides references to Foreign Affairs Manuals that provide specific information on regulations.state.” TL:DS-61. SBU information must be secured within a locked office or suite. Safeguarding/Storage. Source: United States Department of State. or by other methods consistent with law or regulation. commercial messenger. Link to Document: http://foia. APO.Library of Congress – Federal Research Division SBU Information Source Organization: Department of State Description/Summary: U. transmission of SBU information should be effected through means that limit the potential for unauthorized public disclosure. provided it is packaged in a way that does not disclose its contents or the fact that it is SBU.S. “Sensitive But Unclassified Information (SBU). to carry out an official U. TL:DS-46. and release of SBU material. SBU information may be sent via the U. Volume 12 FAM 540. During nonduty hours.gov/masterdocs/12fam/12m0540. but should carry a distribution restriction to make the recipient aware of specific controls.gov/masterdocs/12fam/12m0540. Link to Document: http://foia. 05-26-1995 Document Title: Responsibilities Source Organization: Department of State Description/Summary: Provides a general warning of consequences for person or persons guilty of unauthorized disclosure of Sensitive But Unclassified information. citizen direct-hire supervisory employees are responsible for access. 06-08-1995 Document Title: Sensitive But Unclassified Handling Procedures: Transmission. including Foreign Service nationals. TL:DS-46.S. or unclassified registered pouch. Source: United States Department of State. 1--01-1999. To protect SBU information stored or processed on automated information systems.state. Postal Service. “Sensitive But Unclassified Information (SBU). SBU information is not required to be marked. Employees will limit access to protect SBU information from unintended public disclosure.pdf Topic: Controls Document Number: Volume 12 Foreign Affairs Manual 544. processes and 24 . regulation.

gov/masterdocs/12fam/12m0660. Volume 5 Foreign Affairs Manual 751. 4-19-1996 Document Title: Communications Security (COMSEC) (SBU) Source Organization: Department of State Description/Summary: This subchapter has been designated Sensitive But Unclassified— NOFORN. 4-19-1996. 02/02/2000 Document Title: Department of State Telegram.gov/masterdocs/12fam/12m0540. Volume 12 FAM 540. Source: United States Department of State.fas.state.html Link to Document: www. Department of State.2. Guidance For Drafting Sensitive But Unclassified Telegram Source Organization: Department of State Description/Summary: Describes how documents containing sensitive but unclassified information should be labeled. but the Department of State would not release the information for security reasons. TL:IM-39.gov/masterdocs/05FAM/05M0750. “Communications Security (COMSEC) (SBU). Source: United States Department of State. “Executive Order 12958: Telegram Ref: 95 State 232445.gov/masterdocs/05FAM/05M0750.” http://foia. Volume 12 Foreign Affairs Manual 660.org/sgp/news/2000/02/sbu. 02/02/2000.org/sgp/news/2000/02/sbu.state. to All Diplomatic and Consular Posts US Office Pristina Special Embassy Program. Link to Document: http://foia. TL:IM-39. 06-13-2003. SBU information marked NOFORN or with other restricted distribution must be transmitted on the classified INTRANET.state.pdf 25 .2. Source: United States Department of State. TL:DS-52.” Federation of American Scientists. Attempts were made to gain a hard copy of this section of the Manual. Handling. 06-13-2003 Document Title: Email: Prohibitions When Using Email Source Organization: Department of State Description/Summary: Sensitive But Unclassified (SBU) e-mail may be transmitted on the unclassified INTRANET.PDF Topic: Transmission Document Number: Volume 12 Foreign Affairs Manual 660.Library of Congress – Federal Research Division SBU Information penalties for person or persons guilty of unauthorized disclosure of Sensitive But Unclassified information. Source: United States. and it is not included in the CD-ROM or available online.PDF Link to Document: http://foia.html Topic: Transmission and Handling Document Number: Volume 5 Foreign Affairs Manual 751. TL:DS-52. “Sensitive But Unclassified Information (SBU).” http://foia.fas.pdf Topic: Definition.” TL:DS-61. SBU e-mail may not be transmitted over the INTERNET. and Procedure Document Number: Executive Order 12958: Telegram Ref: 95 State 232445. http://www.state. “Email: Prohibitions When Using Email. 1--01-1999.

pdf Topic: Marking. but must be protected from disclosure.gov/masterdocs/12fam/12m0660. 4350 Suspension. This control designation must appear at the top and bottom of any cover. and last page of the document.state. 4360 Separation for Cause.Library of Congress – Federal Research Division SBU Information Link to Document: http://foia. Transmission Document Number: Volume 12 Foreign Affairs Manual 620.gov/masterdocs/05fah01/CH0130.state.” http://foia. Source: United States Department of State.pdf Topic: Sanctions Document Number: Volume 3 Foreign Affairs Manual 4300. 4330 Admonishment. 4370 List of Offenses Subject to Disciplinary Action Foreign Services. “Disciplinary Action (Including Separation for Cause). Handling Document Number: 5 FAH-1 H-200 and 5 FAH-1 H-210 (TL:CH-09.” Link to Document: http://foia. title page. Volume 3 FAM. TL:DS-87. Volume 12 FAM 620. 07-12-2004) 26 . Handling Document Number: 5 FAH-1 H-135 (TL:CH-4. see 5 FAH-1 H-200 for SBU telegrams. “Unclassified Automated Information Systems. 4340 Reprimand.pdf Topic: Marking.foia. Source: United States Department of State.state.gov/REGS/fams.gov/masterdocs/12fam/12m0620. 4320 Disciplinary Action Common Practices. “Administrative Control Marking. Department of State FOIA Electronic Reading Room Topic: Handling. See 12 FAM 540 for further information. Transmission.asp?level=2&id=3&fam=0 Link to Document: U. Source: United States Department of State. Volume 5 FAH 620. 01-08-2003 Document Title: Unclassified Automated Information Systems Source Organization: Department of State Description/Summary: Procedures for transmission of SBU over the Unclassified Automated Information System.state. first page.” Link to Document: http://www. however all section are relevant since they describe the sanctions and procedures for responding to the improper or unauthorized release or handling of information generally. 07-31-2002) Document Title: Administrative Control Marking Source Organization: Department of State Description/Summary: The administrative control designation (SBU) protects documents that do not contain national security information.S. No one subsection details specific sanctions or procedures for responding to the improper or unauthorized release of SBU. Document Title: Disciplinary Action (Including Separation for Cause) Source Organization: Department of State Description/Summary: Section 4300 contains the following subsections that deal with various aspects of disciplinary action: 4310 Disciplinary Action-General.

transfers the FAA’s rules governing civil aviation security to TSA and amends the former FAA rules to enhance security as required by the Aviation and Transportation Security Act (ATSA). 28066).pdf TRANSPORTATION SECURITY ADMINISTRATION Topic: Definition – Sensitive Security Information (SSI) Documents: 49 CFR 1520 – Protection of Sensitive Security Information Source Organization: Transportation Security Administration Description/Summary: Sensitive Security Information (SSI) is defined as information obtained or developed during security activities. “Telegrams” and Volume 5 Foreign Affairs Handbook 1 H-210.gov/masterdocs/05fah01/CH0210. 1520 in order to protect the confidentiality of maritime security measures that were adopted under the U. confidential business information. Topic: Protection and Control of SSI Documents: 49 CFR 1520 – Protection of Sensitive Security Information Source Organization: Transportation Security Administration Description/Summary: Persons subject to the requirements of part 1520 are considered “covered persons” who have a duty to protect information by adhering to restrictions on the disclosure of SSI. To this end. security directives. reveal trade secrets or privileged or confidential information. 107-71. HOW TO USE TELEGRAMS (TL:CH-09.” Link to Document: http://www. vulnerability assessments. or any information that TSA determines is SSI under 49 U. February 22. which implement the Maritime Transportation Security Act (MTSA). By issuing this interim final rule. must 27 . a covered person must take reasonable steps to safeguard SSI. security screening information. performance specifications. 2004 Federal Register (69 Fed. Coast Guard’s regulations. critical aviation or maritime infrastructure asset information.state.S.S. threat information.foia. Reg.S. security measures. or be detrimental to the security of transportation. 07-12-2004) Source Organization: Department of State Description/Summary: Details how to mark and handle telegrams containing SBU. security training materials.C. replacing 14 CFR 191. 114(s) or that the Secretary of DOT determines is SSI under 49 U. Because of this transferal. Reg. Source: United States. Volume 5 Foreign Affairs Handbook 1 H-200. TELEGRAMS and Volume 5 Foreign Affairs Handbook 1 H-210. the disclosure of which would constitute an unwarranted invasion of privacy.L. 67 Fed. 2002.Library of Congress – Federal Research Division SBU Information Document Title: Volume 5 Foreign Affairs Handbook 1 H-200. further revising 49 Fed. information circulars. information obtained from research and development activities. security inspection or investigative information. P. Reg. Such information includes: security programs and contingency plans.C. TSA is expanding the scope of its SSI regulation to cover security measures required by the MTSA regulations. Also of note: an interim final rule was published in the May 18. 8340. Note: TSA’s final rule. systems security information. Department of State. identifying information relating to certain transportation security personnel. rules for protecting sensitive security information will now be found in 49 CFR 1520. may disclose or provide access to SSI only to other covered persons with a need to know. “How To Use Telegrams. 40119.

in certain enforcement proceedings. Topic: Sanctions Documents: 49 CFR 1520 – Protection of Sensitive Security Information Source Organization: Transportation Security Administration Description/Summary: Consequences of unauthorized disclosure of SSI include civil penalties and other enforcement or corrective action by DHS.Library of Congress – Federal Research Division SBU Information mark SSI in a specified manner. and when a conditional disclosure would not be detrimental to transportation security. the TSA or Coast Guard may disclose redacted SSI records in response to a proper FOIA or Privacy Act request. 28 . Disclosures to committees of Congress and the Government Accountability Office are not precluded by this regulation. For example. and appropriate personnel actions for Federal employees. and report unauthorized disclosures. dispose of SSI in a specified manner. Topic: Authorized Disclosure Documents: 49 CFR 1520 – Protection of Sensitive Security Information Source Organization: Transportation Security Administration Description/Summary: Records containing SSI are not available for public inspection except when disclosure is specifically authorized.